PHP Session Identifier Acquirement


title: Session Identifier Acquirement

Session Identifier Acquirement

Session Identifier Acquirement is a vulnerability caused by an attacker being able to either guess the session identifier of a user or exploit vulnerabilities in the application itself or the user’s browser to obtain a session identifier. This attack is a prerequisite to performing a session hijacking attack.

Example

An attacker has a few options to perform a session identifier acquirement attack.

  • Guessing the Identifier: A short and guessable session identifier could allow an attacker to brute-force the ID of a session and get in.
  • Attacking the Browser: In the event you store your session identifier in the browser’s cookies – if your website is vulnerable to cross site scripting an attacker could use the vulnerability to collect session identifier cookies and access high privilege level areas (for example an admin panel).
  • Changing the ID to the attacker’s choice: In older versions of PHP you were able to set the ID of a session in the URL. It’s disabled by default now, if in doubt make sure session.use_trans_sid is false. This is not a common issue anymore, however it can still happen, better safe than sorry.

Defending against Session Identifier Acquirement attacks in PHP

To defend against Session Identifier Acquirement attacks you need to check the attempted session access against several factors to confirm whether it’s a legitimate access and to avoid the user from successfully hijacking the user’s session. Below is an example implementation that can help mitigate the effects of a session identifier acquirement attack. It checks the IP Address, User Agent, and if the Session Expired removing a session before it’s acquired.

<?php session_start(); // Does IP Address match? if ($_SERVER['REMOTE_ADDR'] != $_SESSION['ipaddress']) { session_unset(); session_destroy(); } // Does user agent match? if ($_SERVER['HTTP_USER_AGENT'] != $_SESSION['useragent']) { session_unset(); session_destroy(); } // Is the last access over an hour ago? if (time() > ($_SESSION['lastaccess'] + 3600)) { session_unset(); session_destroy(); } else { $_SESSION['lastaccess'] = time(); }

Tips:

  • Store lots of information about the current session (User Agent String, IP Address, Last Access Time, etc)
  • Check every request against information stored about the session (Does it match? If not delete the session and require the user to login again )
  • Sessions shouldn’t last forever – they should expire at a certain point to maintain session security.
  • Rate limit the amount of sessions a user can try to access (did a user try to access 1000+ invalid sessions? Chances are they are guessing – prevent the IP address from trying any more sessions for a few hours).

More Information:

This article needs improvement. You can help improve this article. You can also write similar articles and help the community.